Blame SOURCES/esc-1.1.0-fix6.patch

f35d1b
--- ./esc/src/lib/NssHttpClient/engine.h.fix6	2009-06-19 16:07:39.000000000 -0700
f35d1b
+++ ./esc/src/lib/NssHttpClient/engine.h	2009-06-19 16:07:44.000000000 -0700
f35d1b
@@ -22,9 +22,17 @@
f35d1b
 #include "response.h"
f35d1b
 #include "request.h"
f35d1b
 
f35d1b
+struct BadCertData {
f35d1b
+ PRErrorCode error;
f35d1b
+ PRInt32 port;
f35d1b
+};
f35d1b
+
f35d1b
+typedef struct BadCertData BadCertData;
f35d1b
+
f35d1b
+
f35d1b
 class __EXPORT Engine {
f35d1b
     public:
f35d1b
-        Engine() {};
f35d1b
+        Engine() { _certData = NULL; _sock=NULL;};
f35d1b
         ~Engine() {};
f35d1b
 
f35d1b
         PRFileDesc *_doConnect(PRNetAddr *addr, PRBool SSLOn = PR_FALSE,
f35d1b
@@ -37,7 +45,8 @@
f35d1b
         static PRIntervalTime globaltimeout;
f35d1b
 
f35d1b
         PRFileDesc *_sock;
f35d1b
-
f35d1b
+        BadCertData *_certData;
f35d1b
+        BadCertData *getBadCertData() { return _certData;}
f35d1b
         PRFileDesc *getSocket() { return _sock;}
f35d1b
 
f35d1b
         bool connectionClosed ;
f35d1b
--- ./esc/src/lib/NssHttpClient/engine.cpp.fix6	2009-06-19 16:07:12.000000000 -0700
f35d1b
+++ ./esc/src/lib/NssHttpClient/engine.cpp	2009-06-19 16:07:29.000000000 -0700
f35d1b
@@ -16,6 +16,8 @@
f35d1b
  * All rights reserved.
f35d1b
  * END COPYRIGHT BLOCK **/
f35d1b
 
f35d1b
+#define FORCE_PR_LOG 1
f35d1b
+
f35d1b
 #include <nspr.h>
f35d1b
 #include "sslproto.h"
f35d1b
 #include <prerror.h>
f35d1b
@@ -27,7 +29,7 @@
f35d1b
 #include "certt.h"
f35d1b
 #include "sslerr.h"
f35d1b
 #include "secerr.h"
f35d1b
-
f35d1b
+#include "CoolKey.h"
f35d1b
 #include "engine.h"
f35d1b
 #include "http.h"
f35d1b
 
f35d1b
@@ -39,6 +41,9 @@
f35d1b
 int cipherCount = 0;
f35d1b
 int _doVerifyServerCert = 1;
f35d1b
 
f35d1b
+PRLogModuleInfo *httpEngineLog = PR_NewLogModule("coolKeyHttpEngine");
f35d1b
+
f35d1b
+
f35d1b
 PRIntervalTime Engine::globaltimeout = PR_TicksPerSecond()*30;
f35d1b
 
f35d1b
 /**
f35d1b
@@ -56,13 +61,26 @@
f35d1b
     SECStatus    secStatus = SECFailure;
f35d1b
     PRErrorCode    err;
f35d1b
 
f35d1b
+    char tBuff[56];
f35d1b
+
f35d1b
+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,
f35d1b
+                          ("%s myBadCertHandler enter. \n",GetTStamp(tBuff,56)));
f35d1b
+
f35d1b
     /* log invalid cert here */
f35d1b
 
f35d1b
     if ( !arg ) {
f35d1b
         return secStatus;
f35d1b
     }
f35d1b
 
f35d1b
-    *(PRErrorCode *)arg = err = PORT_GetError();
f35d1b
+    err = PORT_GetError();
f35d1b
+
f35d1b
+    BadCertData *data = (BadCertData *) arg;
f35d1b
+    if(data) {
f35d1b
+        data->error = err;
f35d1b
+    }
f35d1b
+
f35d1b
+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,
f35d1b
+                          ("%s myBadCertHandler err: %d .  \n",GetTStamp(tBuff,56),err));
f35d1b
 
f35d1b
     /* If any of the cases in the switch are met, then we will proceed   */
f35d1b
     /* with the processing of the request anyway. Otherwise, the default */    
f35d1b
@@ -91,6 +109,10 @@
f35d1b
     break;
f35d1b
     }
f35d1b
 
f35d1b
+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,
f35d1b
+                          ("%s myBadCertHandler status: %d .  \n",GetTStamp(tBuff,56),secStatus));
f35d1b
+
f35d1b
+
f35d1b
     return secStatus;
f35d1b
 }
f35d1b
 
f35d1b
@@ -416,7 +438,6 @@
f35d1b
     return;
f35d1b
 }
f35d1b
 
f35d1b
-
f35d1b
 void Engine::CloseConnection()
f35d1b
 {
f35d1b
     connectionClosed = true;
f35d1b
@@ -426,7 +447,14 @@
f35d1b
         PR_Close(_sock);
f35d1b
         _sock = NULL;
f35d1b
     }
f35d1b
+
f35d1b
+    if(_certData)
f35d1b
+    {
f35d1b
+        delete _certData;
f35d1b
+        _certData = NULL;
f35d1b
+    }
f35d1b
 }
f35d1b
+
f35d1b
 /**
f35d1b
  * Returns a file descriptor for I/O if the HTTP connection is successful
f35d1b
  * @param addr PRnetAddr structure which points to the server to connect to
f35d1b
@@ -442,21 +470,19 @@
f35d1b
     PRFileDesc *tcpsock = NULL;
f35d1b
     PRFileDesc *sock = NULL;
f35d1b
     connectionClosed = false;
f35d1b
+    _certData = new BadCertData();
f35d1b
 
f35d1b
     tcpsock = PR_OpenTCPSocket(addr->raw.family);
f35d1b
-   
f35d1b
 
f35d1b
     if (!tcpsock) {
f35d1b
-
f35d1b
         return NULL;
f35d1b
     }
f35d1b
 
f35d1b
     nodelay(tcpsock);
f35d1b
 
f35d1b
     if (PR_TRUE == SSLOn) {
f35d1b
-        sock=SSL_ImportFD(NULL, tcpsock);
f35d1b
-
f35d1b
 
f35d1b
+        sock=SSL_ImportFD(NULL, tcpsock);
f35d1b
         if (!sock) {
f35d1b
             //xxx log
f35d1b
             if( tcpsock != NULL ) {
f35d1b
@@ -516,9 +542,23 @@
f35d1b
 
f35d1b
         PRErrorCode errCode = 0;
f35d1b
 
f35d1b
-        rv = SSL_BadCertHook( sock,
f35d1b
+        if(_certData) {
f35d1b
+            _certData->error = errCode;
f35d1b
+            _certData->port  = PR_ntohs(PR_NetAddrInetPort(addr));
f35d1b
+        }
f35d1b
+
f35d1b
+        CoolKeyBadCertHandler overriddenHandler =  CoolKeyGetBadCertHandler();
f35d1b
+
f35d1b
+        if(overriddenHandler)  {
f35d1b
+            rv = SSL_BadCertHook( sock,
f35d1b
+                              (SSLBadCertHandler)overriddenHandler,
f35d1b
+                               (void *)_certData);
f35d1b
+        } else {
f35d1b
+            rv = SSL_BadCertHook( sock,
f35d1b
                               (SSLBadCertHandler)myBadCertHandler,
f35d1b
-                              &errCode );
f35d1b
+                              (void *)_certData);
f35d1b
+        }
f35d1b
+
f35d1b
         rv = SSL_SetURL( sock, serverName );
f35d1b
 
f35d1b
         if (rv != SECSuccess ) {
f35d1b
@@ -536,8 +576,6 @@
f35d1b
         sock = tcpsock;
f35d1b
     }
f35d1b
 
f35d1b
-  
f35d1b
-
f35d1b
     if ( PR_Connect(sock, addr, timeout) == PR_FAILURE ) {
f35d1b
 
f35d1b
         if( sock != NULL ) {
f35d1b
@@ -563,11 +601,17 @@
f35d1b
                                           const PSHttpServer& server,
f35d1b
                                           int timeout, PRBool expectChunked ,PRBool processStreamed) {
f35d1b
     PRNetAddr addr;
f35d1b
-    PRFileDesc *sock = NULL;
f35d1b
     PSHttpResponse *resp = NULL;
f35d1b
 
f35d1b
     PRBool response_code = 0;
f35d1b
 
f35d1b
+    char tBuff[56];
f35d1b
+
f35d1b
+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,
f35d1b
+                          ("%s HttpEngine::makeRequest  enter. \n",GetTStamp(tBuff,56)));
f35d1b
+
f35d1b
+
f35d1b
+
f35d1b
     server.getAddr(&addr);
f35d1b
 
f35d1b
     char *nickName = request.getCertNickName();
f35d1b
@@ -575,8 +619,17 @@
f35d1b
     char *serverName = (char *)server.getAddr();
f35d1b
     _sock = _doConnect( &addr, request.isSSL(), 0, 0,nickName, 0, serverName );
f35d1b
 
f35d1b
+    PR_LOG(httpEngineLog, PR_LOG_DEBUG,
f35d1b
+                          ("%s HttpEngine::makeRequest  past doConnect sock: %p. \n",
f35d1b
+                          GetTStamp(tBuff,56),_sock));
f35d1b
+
f35d1b
     if ( _sock != NULL) {
f35d1b
         PRBool status = request.send( _sock );
f35d1b
+
f35d1b
+        PR_LOG(httpEngineLog, PR_LOG_DEBUG,
f35d1b
+                          ("%s HttpEngine::makeRequest  past request.send status: %d. \n",
f35d1b
+                          GetTStamp(tBuff,56),status));
f35d1b
+
f35d1b
         if ( status ) {
f35d1b
             resp = new PSHttpResponse( _sock, &request, timeout, expectChunked ,this);
f35d1b
             response_code = resp->processResponse(processStreamed);
f35d1b
--- ./esc/src/lib/NssHttpClient/manifest.mn.fix6	2009-06-19 16:08:05.000000000 -0700
f35d1b
+++ ./esc/src/lib/NssHttpClient/manifest.mn	2009-06-19 16:08:13.000000000 -0700
f35d1b
@@ -24,7 +24,7 @@
f35d1b
 MODULE		= httpchunked
f35d1b
 LIBRARY_NAME	= $(MODULE)
f35d1b
 SHARED_NAME	= $(MODULE)
f35d1b
-REQUIRES	= nss nspr 
f35d1b
+REQUIRES	= nss nspr ckymanager
f35d1b
 ifndef MOZ_OFFSET
f35d1b
 MOZ_OFFSET	= mozilla-1.7.13
f35d1b
 endif
f35d1b
--- ./esc/src/lib/coolkey/NSSManager.h.fix6	2009-06-19 16:06:41.000000000 -0700
f35d1b
+++ ./esc/src/lib/coolkey/NSSManager.h	2009-06-19 16:06:47.000000000 -0700
f35d1b
@@ -70,6 +70,8 @@
f35d1b
 
f35d1b
   static HRESULT  GetKeyCertNicknames( const CoolKey *aKey,  vector<string> & aStrings  ); 
f35d1b
 
f35d1b
+  static HRESULT GetKeyUID(const CoolKey *aKey, char *aBuf, int aBufLength);
f35d1b
+
f35d1b
   static HRESULT GetKeyIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength);
f35d1b
 
f35d1b
   static HRESULT GetKeyIssuer(const CoolKey *aKey, char *aBuf, int aBufLength);
f35d1b
--- ./esc/src/lib/coolkey/CoolKey.cpp.fix6	2009-06-19 16:02:43.000000000 -0700
f35d1b
+++ ./esc/src/lib/coolkey/CoolKey.cpp	2009-06-19 16:03:03.000000000 -0700
f35d1b
@@ -259,12 +259,14 @@
f35d1b
 static CoolKeyRelease g_Release = NULL;
f35d1b
 static CoolKeyGetConfigValue g_GetConfigValue = NULL;
f35d1b
 static CoolKeySetConfigValue g_SetConfigValue = NULL;
f35d1b
+static CoolKeyBadCertHandler g_BadCertHandler = NULL;
f35d1b
 
f35d1b
 char* CoolKeyVerifyPassword(PK11SlotInfo *,PRBool,void *);
f35d1b
 
f35d1b
 COOLKEY_API HRESULT CoolKeySetCallbacks(CoolKeyDispatch dispatch,
f35d1b
 	CoolKeyReference reference, CoolKeyRelease release,
f35d1b
-        CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue)
f35d1b
+        CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue,
f35d1b
+        CoolKeyBadCertHandler badcerthandler)
f35d1b
 {
f35d1b
     char tBuff[56];
f35d1b
     g_Dispatch = dispatch;
f35d1b
@@ -272,6 +274,7 @@
f35d1b
     g_Release = release;
f35d1b
     g_GetConfigValue = getconfigvalue;
f35d1b
     g_SetConfigValue = setconfigvalue;
f35d1b
+    g_BadCertHandler = badcerthandler;
f35d1b
 
f35d1b
     char * suppressPINPrompt =(char*) CoolKeyGetConfig("esc.security.url");
f35d1b
 
f35d1b
@@ -997,6 +1000,16 @@
f35d1b
   
f35d1b
     return NSSManager::GetKeyPolicy(aKey, aBuf, aBufLen);
f35d1b
 }
f35d1b
+
f35d1b
+HRESULT
f35d1b
+CoolKeyGetUID(const CoolKey *aKey, char *aBuf, int aBufLength)
f35d1b
+{
f35d1b
+    if (!aKey || !aKey->mKeyID || !aBuf || aBufLength < 1)
f35d1b
+        return E_FAIL;
f35d1b
+
f35d1b
+    return NSSManager::GetKeyUID(aKey,aBuf,aBufLength);
f35d1b
+}
f35d1b
+
f35d1b
 HRESULT
f35d1b
 CoolKeyGetIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength)
f35d1b
 {
f35d1b
@@ -1290,6 +1303,13 @@
f35d1b
     return aCUID;
f35d1b
 }
f35d1b
 
f35d1b
+CoolKeyBadCertHandler CoolKeyGetBadCertHandler()
f35d1b
+{
f35d1b
+    if(g_BadCertHandler)
f35d1b
+        return g_BadCertHandler;
f35d1b
+    return NULL;
f35d1b
+}
f35d1b
+
f35d1b
 const char *CoolKeyGetConfig(const char *aValue)
f35d1b
 {
f35d1b
     if(!g_GetConfigValue || ! aValue)
f35d1b
--- ./esc/src/lib/coolkey/manifest.mn.fix6	2009-06-19 16:05:45.000000000 -0700
f35d1b
+++ ./esc/src/lib/coolkey/manifest.mn	2009-06-19 16:05:54.000000000 -0700
f35d1b
@@ -19,7 +19,6 @@
f35d1b
 
f35d1b
 XULRUNNER_BASE=$(CORE_DEPTH)/dist/$(OBJDIR)//xulrunner_build
f35d1b
 
f35d1b
-
f35d1b
 SYS_INC		= /usr/include
f35d1b
 MODULE		= ckymanager
f35d1b
 LIBRARY_NAME	= $(MODULE)
f35d1b
@@ -41,7 +40,7 @@
f35d1b
 		SmartCardMonitoringThread.cpp \
f35d1b
 		$(NULL)
f35d1b
 
f35d1b
-EXPORTS 	= \
f35d1b
+EXPORTS		= \
f35d1b
 		CoolKey.h \
f35d1b
 		$(NULL)
f35d1b
 
f35d1b
--- ./esc/src/lib/coolkey/NSSManager.cpp.fix6	2009-06-19 16:06:19.000000000 -0700
f35d1b
+++ ./esc/src/lib/coolkey/NSSManager.cpp	2009-06-19 16:06:28.000000000 -0700
f35d1b
@@ -369,7 +369,7 @@
f35d1b
 
f35d1b
     aBuf[0]=0;
f35d1b
 
f35d1b
-    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo \n",GetTStamp(tBuff,56)));
f35d1b
+    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuer \n",GetTStamp(tBuff,56)));
f35d1b
 
f35d1b
     if(!aKey )
f35d1b
         return E_FAIL;
f35d1b
@@ -409,7 +409,7 @@
f35d1b
                         continue;
f35d1b
                     }
f35d1b
                     orgID    = CERT_GetOrgName(&cert->subject);
f35d1b
-                    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo ourSlot %p curSlot  %p org %s \n",GetTStamp(tBuff,56),slot,cert->slot,orgID));
f35d1b
+                    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuer ourSlot %p curSlot  %p org %s \n",GetTStamp(tBuff,56),slot,cert->slot,orgID));
f35d1b
 
f35d1b
                 }
f35d1b
 
f35d1b
@@ -437,6 +437,85 @@
f35d1b
     return S_OK;
f35d1b
 }
f35d1b
 
f35d1b
+HRESULT NSSManager::GetKeyUID(const CoolKey *aKey, char *aBuf, int aBufLength)
f35d1b
+{
f35d1b
+    char tBuff[56];
f35d1b
+    if(!aBuf)
f35d1b
+        return E_FAIL;
f35d1b
+
f35d1b
+    aBuf[0]=0;
f35d1b
+
f35d1b
+    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyUID \n",GetTStamp(tBuff,56)));
f35d1b
+
f35d1b
+    if(!aKey )
f35d1b
+        return E_FAIL;
f35d1b
+
f35d1b
+    PK11SlotInfo *slot = GetSlotForKeyID(aKey);
f35d1b
+
f35d1b
+    if (!slot)
f35d1b
+        return E_FAIL;
f35d1b
+
f35d1b
+    CERTCertList *certs = PK11_ListCerts(PK11CertListAll,NULL);
f35d1b
+
f35d1b
+    if (!certs)
f35d1b
+    {
f35d1b
+        PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%sNSSManager::GetKeyUID no certs found! \n",GetTStamp(tBuff,56)));
f35d1b
+        PK11_FreeSlot(slot);
f35d1b
+        return E_FAIL;
f35d1b
+    }
f35d1b
+
f35d1b
+    CERTCertListNode *node= NULL;
f35d1b
+
f35d1b
+    char *certID = NULL;
f35d1b
+
f35d1b
+    for( node = CERT_LIST_HEAD(certs);
f35d1b
+             ! CERT_LIST_END(node, certs);
f35d1b
+             node = CERT_LIST_NEXT(node))     
f35d1b
+    {     
f35d1b
+        if(node->cert) 
f35d1b
+        {
f35d1b
+            CERTCertificate *cert = node->cert;
f35d1b
+
f35d1b
+            if(cert)
f35d1b
+            {
f35d1b
+                if(cert->slot == slot)
f35d1b
+                {
f35d1b
+                    if(IsCACert(cert))
f35d1b
+                    {
f35d1b
+                        continue;
f35d1b
+                    }
f35d1b
+
f35d1b
+                    certID = CERT_GetCertUid(&cert->subject);
f35d1b
+
f35d1b
+                    PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyUID ourSlot %p curSlot  %p certID %s  \n",GetTStamp(tBuff,56),slot,cert->slot,certID));
f35d1b
+           
f35d1b
+                }
f35d1b
+
f35d1b
+                if(certID)
f35d1b
+                    break;
f35d1b
+            }
f35d1b
+        }
f35d1b
+
f35d1b
+    }
f35d1b
+
f35d1b
+    if(certID && ((int)strlen(certID)  <  aBufLength))
f35d1b
+    {
f35d1b
+        strcpy(aBuf,certID);
f35d1b
+    }
f35d1b
+
f35d1b
+    if(certs)
f35d1b
+      CERT_DestroyCertList(certs);
f35d1b
+
f35d1b
+    if(slot)
f35d1b
+      PK11_FreeSlot(slot);
f35d1b
+
f35d1b
+    if(certID)
f35d1b
+        PORT_Free(certID);
f35d1b
+
f35d1b
+    return S_OK;
f35d1b
+}
f35d1b
+
f35d1b
+
f35d1b
 HRESULT NSSManager::GetKeyIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength)
f35d1b
 {
f35d1b
     char tBuff[56];
f35d1b
@@ -487,6 +566,10 @@
f35d1b
 
f35d1b
                     certID = CERT_GetCommonName(&cert->subject);
f35d1b
 
f35d1b
+                    if(!certID) {
f35d1b
+                        certID = CERT_GetCertUid(&cert->subject);
f35d1b
+                    }
f35d1b
+
f35d1b
                     PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo ourSlot %p curSlot  %p certID %s  \n",GetTStamp(tBuff,56),slot,cert->slot,certID));
f35d1b
 
f35d1b
                 }
f35d1b
--- ./esc/src/lib/coolkey/CoolKey.h.fix6	2009-06-19 16:04:59.000000000 -0700
f35d1b
+++ ./esc/src/lib/coolkey/CoolKey.h	2009-06-19 16:05:05.000000000 -0700
f35d1b
@@ -26,6 +26,7 @@
f35d1b
 // platforms (coreconf will do the appropriate processing.
f35d1b
 #define COOLKEY_API
f35d1b
 
f35d1b
+#include "ssl.h"
f35d1b
 #include <string.h>
f35d1b
 #include <stdlib.h>
f35d1b
 #include <vector>
f35d1b
@@ -100,7 +101,7 @@
f35d1b
 
f35d1b
 typedef HRESULT (*CoolKeySetConfigValue)(const char *name,const char *value);
f35d1b
 typedef const char * (*CoolKeyGetConfigValue)(const char *name);
f35d1b
-
f35d1b
+typedef SECStatus (*CoolKeyBadCertHandler)(void *arg, PRFileDesc *fd);
f35d1b
 
f35d1b
 
f35d1b
 extern "C" {
f35d1b
@@ -112,7 +113,8 @@
f35d1b
 COOLKEY_API HRESULT CoolKeyUnregisterListener(CoolKeyListener* aListener);
f35d1b
 COOLKEY_API HRESULT CoolKeySetCallbacks(CoolKeyDispatch dispatch,
f35d1b
                         CoolKeyReference reference, CoolKeyRelease release,
f35d1b
-                        CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue);
f35d1b
+                        CoolKeyGetConfigValue getconfigvalue,CoolKeySetConfigValue setconfigvalue,
f35d1b
+                        CoolKeyBadCertHandler badcerthandler=NULL);
f35d1b
 
f35d1b
 COOLKEY_API bool    CoolKeyRequiresAuthentication(const CoolKey *aKey);
f35d1b
 COOLKEY_API bool    CoolKeyHasApplet(const CoolKey *aKey);
f35d1b
@@ -133,6 +135,8 @@
f35d1b
 
f35d1b
 COOLKEY_API HRESULT CoolKeyGetCertInfo(const CoolKey *aKey, char *aCertNickname, std::string & aCertInfo);
f35d1b
 
f35d1b
+COOLKEY_API HRESULT CoolKeyGetUID(const CoolKey *aKey, char *aBuf, int aBufLength);
f35d1b
+
f35d1b
 COOLKEY_API HRESULT CoolKeyGetIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength);
f35d1b
 COOLKEY_API HRESULT CoolKeyGetIssuer(const CoolKey *aKey, char *aBuf, int aBufLength);
f35d1b
 
f35d1b
@@ -257,6 +261,9 @@
f35d1b
 
f35d1b
 const char *CoolKeyGetConfig(const char *aName);
f35d1b
 HRESULT     CoolKeySetConfig(const char *aName,const char *aValue);
f35d1b
+CoolKeyBadCertHandler CoolKeyGetBadCertHandler();
f35d1b
+
f35d1b
+
f35d1b
 
f35d1b
 }
f35d1b
 
f35d1b
--- ./esc/src/lib/coolkey/Makefile.fix6	2009-06-19 16:05:24.000000000 -0700
f35d1b
+++ ./esc/src/lib/coolkey/Makefile	2009-06-19 16:05:32.000000000 -0700
f35d1b
@@ -35,6 +35,9 @@
f35d1b
 	echo "Build Linux or Windows."
f35d1b
 	make -f common.mk
f35d1b
 
f35d1b
+export::
f35d1b
+	make -f common.mk export
f35d1b
+
f35d1b
 endif
f35d1b
 
f35d1b
 ifeq ($(OS_ARCH),Darwin)
f35d1b
--- ./esc/src/app/xul/esc/chrome/content/esc/certManager.xul.fix6	2009-06-19 16:01:21.000000000 -0700
f35d1b
+++ ./esc/src/app/xul/esc/chrome/content/esc/certManager.xul	2009-06-19 16:01:43.000000000 -0700
f35d1b
@@ -65,7 +65,7 @@
f35d1b
       <tabs id="certMgrTabbox" onselect="CertsTabsSelected();">
f35d1b
         <tab id="mine_tab" label="&certmgr.tab.mine;" selected="true"/>
f35d1b
         <tab id="others_tab" hidden="true" label="&certmgr.tab.others2;"/>
f35d1b
-        <tab id="websites_tab" hidden="true" label="&certmgr.tab.websites3;"/>
f35d1b
+        <tab id="websites_tab" hidden="false" label="&certmgr.tab.websites3;"/>
f35d1b
         <tab id="ca_tab" hidden="false" label="&certmgr.tab.ca;"/>
f35d1b
         <tab id="orphan_tab" hidden="true" label="&certmgr.tab.orphan2;"/>
f35d1b
 
f35d1b
--- ./esc/src/app/xpcom/rhCoolKey.cpp.fix6	2009-06-19 15:56:20.000000000 -0700
f35d1b
+++ ./esc/src/app/xpcom/rhCoolKey.cpp	2009-06-19 15:57:48.000000000 -0700
f35d1b
@@ -30,7 +30,7 @@
f35d1b
 #else
f35d1b
 #include "nsServiceManagerUtils.h"
f35d1b
 #endif
f35d1b
-
f35d1b
+#include "pipnss/nsICertOverrideService.h"
f35d1b
 #include "nsIPrefBranch.h"
f35d1b
 #include "nsIPrefService.h"
f35d1b
 #include "nsCOMPtr.h"
f35d1b
@@ -69,6 +69,7 @@
f35d1b
 #endif
f35d1b
 
f35d1b
 #define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1"
f35d1b
+#define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1"
f35d1b
 
f35d1b
 static const nsIID kIModuleIID = NS_IMODULE_IID;
f35d1b
 static const nsIID kIFactoryIID = NS_IFACTORY_IID;
f35d1b
@@ -89,6 +90,7 @@
f35d1b
 
f35d1b
 std::list< nsCOMPtr <rhIKeyNotify>  > rhCoolKey::gNotifyListeners;
f35d1b
 
f35d1b
+PRLock* rhCoolKey::certCBLock=NULL;
f35d1b
 
f35d1b
 PRBool rhCoolKey::gAutoEnrollBlankTokens = PR_FALSE; 
f35d1b
 
f35d1b
@@ -190,6 +192,13 @@
f35d1b
         mCSPListener = nsnull;
f35d1b
     #endif
f35d1b
 
f35d1b
+    certCBLock = PR_NewLock();
f35d1b
+
f35d1b
+    if(!certCBLock) {
f35d1b
+       PR_LOG( coolKeyLog, PR_LOG_ERROR, ("%s Failed to create lock exiting! \n",GetTStamp(tBuff,56)));
f35d1b
+        exit(1);
f35d1b
+    }
f35d1b
+
f35d1b
     PRBool res = InitInstance();
f35d1b
 
f35d1b
     if(res == PR_FALSE)
f35d1b
@@ -207,6 +216,10 @@
f35d1b
 
f35d1b
     char tBuff[56];
f35d1b
     PR_LOG( coolKeyLog, PR_LOG_DEBUG, ("%s rhCoolKey::~rhCoolKey: %p \n",GetTStamp(tBuff,56),this));
f35d1b
+
f35d1b
+    if(certCBLock) {
f35d1b
+        PR_DestroyLock(certCBLock);
f35d1b
+    }
f35d1b
 }
f35d1b
 
f35d1b
 void rhCoolKey::ShutDownInstance()
f35d1b
@@ -255,6 +268,212 @@
f35d1b
     return S_OK;
f35d1b
 }
f35d1b
 
f35d1b
+struct BadCertData {
f35d1b
+     PRErrorCode error; 
f35d1b
+     PRInt32 port;
f35d1b
+};  
f35d1b
+
f35d1b
+typedef struct BadCertData BadCertData;
f35d1b
+
f35d1b
+SECStatus rhCoolKey::badCertHandler(void *arg, PRFileDesc *fd)
f35d1b
+{
f35d1b
+    SECStatus    secStatus = SECFailure;
f35d1b
+    PRErrorCode    err;
f35d1b
+    char *host = NULL;
f35d1b
+    PRInt32 port = 0;
f35d1b
+    CERTCertificate *serverCert = NULL;
f35d1b
+    PRUint32 errorBits = 0;
f35d1b
+    char tBuff[56];
f35d1b
+    
f35d1b
+    PR_Lock(certCBLock);
f35d1b
+
f35d1b
+    if (!arg || !fd) {
f35d1b
+        PR_Unlock(certCBLock);
f35d1b
+        return secStatus;
f35d1b
+    }
f35d1b
+
f35d1b
+    // Retrieve callback data from NssHttpClient
f35d1b
+    // Caller cleans up this data
f35d1b
+    BadCertData *data = (BadCertData *) arg;
f35d1b
+    data->error = err = PORT_GetError();
f35d1b
+
f35d1b
+
f35d1b
+    /* If any of the cases in the switch are met, then we will proceed   */
f35d1b
+
f35d1b
+    switch (err) {
f35d1b
+    case SEC_ERROR_INVALID_AVA:
f35d1b
+    case SEC_ERROR_INVALID_TIME:
f35d1b
+    case SEC_ERROR_BAD_SIGNATURE:
f35d1b
+    case SEC_ERROR_EXPIRED_CERTIFICATE:
f35d1b
+    case SEC_ERROR_UNKNOWN_ISSUER:
f35d1b
+    case SEC_ERROR_UNTRUSTED_CERT:
f35d1b
+    case SEC_ERROR_CERT_VALID:
f35d1b
+    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
f35d1b
+    case SEC_ERROR_CRL_EXPIRED:
f35d1b
+    case SEC_ERROR_CRL_BAD_SIGNATURE:
f35d1b
+    case SEC_ERROR_EXTENSION_VALUE_INVALID:
f35d1b
+    case SEC_ERROR_CA_CERT_INVALID:
f35d1b
+    case SEC_ERROR_CERT_USAGES_INVALID:
f35d1b
+    case SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION:
f35d1b
+    case SEC_ERROR_EXTENSION_NOT_FOUND: // Added by Rob 5/21/2002
f35d1b
+        secStatus = SECSuccess;
f35d1b
+    break;
f35d1b
+    default:
f35d1b
+        secStatus = SECFailure;
f35d1b
+    break;
f35d1b
+    }
f35d1b
+
f35d1b
+    if(secStatus == SECSuccess)  {
f35d1b
+        PR_Unlock(certCBLock);
f35d1b
+        return secStatus;
f35d1b
+    }
f35d1b
+
f35d1b
+    // Collect errors to compare with override service output
f35d1b
+    switch(err) {
f35d1b
+    case SEC_ERROR_UNTRUSTED_ISSUER:
f35d1b
+        errorBits |= nsICertOverrideService::ERROR_UNTRUSTED;
f35d1b
+    break;
f35d1b
+    case SSL_ERROR_BAD_CERT_DOMAIN:
f35d1b
+        errorBits |= nsICertOverrideService::ERROR_MISMATCH;
f35d1b
+    break;
f35d1b
+    case SEC_ERROR_EXPIRED_CERTIFICATE:
f35d1b
+        errorBits |= nsICertOverrideService::ERROR_TIME;
f35d1b
+    default:
f35d1b
+    break;
f35d1b
+    };
f35d1b
+
f35d1b
+    // Now proceed to see if we have an exception.
f35d1b
+    // Get the server certificate that was rejected.
f35d1b
+    serverCert = SSL_PeerCertificate(fd);
f35d1b
+
f35d1b
+    if(!serverCert) {
f35d1b
+        PR_Unlock(certCBLock);
f35d1b
+        return secStatus;
f35d1b
+    }
f35d1b
+
f35d1b
+    port = data->port;
f35d1b
+    host = SSL_RevealURL(fd);
f35d1b
+
f35d1b
+    if(!host || port <= 0) {
f35d1b
+        PR_Unlock(certCBLock);
f35d1b
+        return secStatus;
f35d1b
+    }
f35d1b
+
f35d1b
+    PR_LOG(coolKeyLog, PR_LOG_DEBUG,
f35d1b
+                          ("%s rhCoolKey::badCertHandler enter: error: %d  url: %s port: %d \n",
f35d1b
+                          GetTStamp(tBuff,56),err,host,port)
f35d1b
+    );
f35d1b
+
f35d1b
+    PRBool isTemporaryOverride = PR_FALSE;
f35d1b
+    PRUint32 overrideBits = 0;
f35d1b
+    PRBool overrideResult = PR_FALSE;
f35d1b
+
f35d1b
+    // Use the nsICertOverrideService to see if we have
f35d1b
+    // previously trusted this certificate.
f35d1b
+    nsCOMPtr<nsICertOverrideService> overrideService =
f35d1b
+       do_GetService(NS_CERTOVERRIDE_CONTRACTID);
f35d1b
+
f35d1b
+    const nsEmbedCString nsHost(host);
f35d1b
+    nsEmbedCString hashAlg,fingerPrint;
f35d1b
+
f35d1b
+    nsresult nsrv;
f35d1b
+    unsigned char* fingerprint=NULL;
f35d1b
+    if(overrideService) {
f35d1b
+        nsrv = overrideService->GetValidityOverride((const nsACString &)nsHost,
f35d1b
+            port,(nsACString &)hashAlg,
f35d1b
+            (nsACString&)fingerPrint,&overrideBits,
f35d1b
+            &isTemporaryOverride,&overrideResult
f35d1b
+        );
f35d1b
+        if(nsrv == NS_OK) { 
f35d1b
+           PR_LOG(coolKeyLog, PR_LOG_DEBUG,
f35d1b
+               ("%s rhCoolKey::badCertHandler res %d print %s len %d bits %u temp %d alg: %s  \n",
f35d1b
+               GetTStamp(tBuff,56),overrideResult,fingerPrint.get(),
f35d1b
+               fingerPrint.Length(),overrideBits, isTemporaryOverride,hashAlg.get())
f35d1b
+           );
f35d1b
+       }
f35d1b
+
f35d1b
+       PRBool certMatches = PR_FALSE;
f35d1b
+
f35d1b
+       if( (nsrv == NS_OK) && overrideResult) {
f35d1b
+            SECItem oid;
f35d1b
+            oid.data = nsnull;
f35d1b
+            oid.len = 0;
f35d1b
+            SECStatus srv = SEC_StringToOID(nsnull, &oid,
f35d1b
+                    hashAlg.get(), hashAlg.Length());
f35d1b
+
f35d1b
+            if (srv != SECSuccess)  {
f35d1b
+               PR_Free(host);
f35d1b
+               host=NULL;
f35d1b
+               CERT_DestroyCertificate(serverCert);
f35d1b
+               serverCert=NULL;
f35d1b
+               PR_Unlock(certCBLock);
f35d1b
+               return secStatus;
f35d1b
+            }
f35d1b
+
f35d1b
+            SECOidTag oid_tag = SECOID_FindOIDTag(&oid;;
f35d1b
+
f35d1b
+            unsigned int hash_len = HASH_ResultLenByOidTag(oid_tag);
f35d1b
+            fingerprint = new unsigned char[hash_len];
f35d1b
+
f35d1b
+            if(!fingerprint)  {
f35d1b
+                CERT_DestroyCertificate(serverCert);
f35d1b
+                serverCert=NULL;
f35d1b
+                PR_Unlock(certCBLock);
f35d1b
+                return secStatus;
f35d1b
+            }
f35d1b
+
f35d1b
+            SECItem computedPrint;
f35d1b
+            memset(fingerprint, 0, sizeof fingerprint);
f35d1b
+            PK11_HashBuf(oid_tag, fingerprint,
f35d1b
+            serverCert->derCert.data, serverCert->derCert.len);
f35d1b
+            CERT_DestroyCertificate(serverCert);
f35d1b
+            serverCert=NULL;
f35d1b
+
f35d1b
+            computedPrint.data=fingerprint;
f35d1b
+            computedPrint.len=hash_len;
f35d1b
+
f35d1b
+            char *formattedPrint = CERT_Hexify(&computedPrint,1);
f35d1b
+            char *inputPrint = (char *)fingerPrint.get();
f35d1b
+
f35d1b
+            //Compare fingerprints.
f35d1b
+
f35d1b
+            if(formattedPrint && inputPrint)  {
f35d1b
+                if(!PL_strcmp(formattedPrint, inputPrint))
f35d1b
+                    certMatches = PR_TRUE;
f35d1b
+            }
f35d1b
+            PR_LOG( coolKeyLog, PR_LOG_DEBUG, ("%s certMatches: %d  \n",
f35d1b
+                GetTStamp(tBuff,56),certMatches)
f35d1b
+            );
f35d1b
+
f35d1b
+            if(formattedPrint)  {
f35d1b
+                PORT_Free(formattedPrint);
f35d1b
+                formattedPrint = NULL;
f35d1b
+            }
f35d1b
+      } else {
f35d1b
+          PR_LOG( coolKeyLog, PR_LOG_DEBUG, ("%s override test failed. \n",
f35d1b
+              GetTStamp(tBuff,56))
f35d1b
+          );
f35d1b
+      }
f35d1b
+
f35d1b
+      if( certMatches ) {
f35d1b
+         if(overrideBits | errorBits)
f35d1b
+             secStatus = SECSuccess;   
f35d1b
+      }
f35d1b
+    }
f35d1b
+
f35d1b
+    PR_Free(host);
f35d1b
+    host = NULL;
f35d1b
+    if(fingerprint)  {
f35d1b
+        delete [] fingerprint;
f35d1b
+        fingerprint = NULL;
f35d1b
+    }
f35d1b
+
f35d1b
+    PR_Unlock(certCBLock);
f35d1b
+
f35d1b
+    return secStatus;
f35d1b
+}
f35d1b
+
f35d1b
+
f35d1b
 HRESULT rhCoolKey::doSetCoolKeyConfigValue(const char *aName, const char *aValue) 
f35d1b
 {
f35d1b
 
f35d1b
@@ -340,7 +559,7 @@
f35d1b
     nssComponent
f35d1b
     = do_GetService(PSM_COMPONENT_CONTRACTID); 
f35d1b
 
f35d1b
-    CoolKeySetCallbacks(Dispatch,Reference, Release,doGetCoolKeyConfigValue ,doSetCoolKeyConfigValue);
f35d1b
+    CoolKeySetCallbacks(Dispatch,Reference, Release,doGetCoolKeyConfigValue ,doSetCoolKeyConfigValue,badCertHandler);
f35d1b
 
f35d1b
     mProxy = CreateProxyObject();
f35d1b
 
f35d1b
@@ -1262,6 +1481,38 @@
f35d1b
 }
f35d1b
 
f35d1b
 /* string GetCoolKeyIssuedTo (in unsigned long aKeyType, in string aKeyID); */
f35d1b
+NS_IMETHODIMP rhCoolKey::GetCoolKeyUID(PRUint32 aKeyType, const char *aKeyID, char **uid)
f35d1b
+{
f35d1b
+    char tBuff[56];
f35d1b
+    if (!aKeyID) {
f35d1b
+        return NS_ERROR_FAILURE;
f35d1b
+    }
f35d1b
+
f35d1b
+    AutoCoolKey key(aKeyType, ( char *)aKeyID);
f35d1b
+
f35d1b
+    char buff[512];
f35d1b
+    int bufLength = 512;
f35d1b
+    buff[0] = 0;
f35d1b
+   
f35d1b
+    CoolKeyGetUID(&key, (char *) buff, bufLength);
f35d1b
+
f35d1b
+    if(!buff[0])
f35d1b
+    {
f35d1b
+        return NS_OK;
f35d1b
+    }
f35d1b
+
f35d1b
+    PR_LOG(coolKeyLog,PR_LOG_DEBUG,("%s rhCoolKey::RhGetCoolKeyGetUID  %s \n",GetTStamp(tBuff,56),(char *) buff));
f35d1b
+
f35d1b
+    char *temp =  (char *) nsMemory::Clone(buff,sizeof(char) * strlen(buff) + 1);
f35d1b
+
f35d1b
+    *uid = temp;
f35d1b
+
f35d1b
+    return NS_OK;
f35d1b
+
f35d1b
+}
f35d1b
+
f35d1b
+
f35d1b
+/* string GetCoolKeyIssuedTo (in unsigned long aKeyType, in string aKeyID); */
f35d1b
 NS_IMETHODIMP rhCoolKey::GetCoolKeyIssuedTo(PRUint32 aKeyType, const char *aKeyID, char **issuedTo)
f35d1b
 {
f35d1b
     char tBuff[56];
f35d1b
--- ./esc/src/app/xpcom/rhICoolKey.idl.fix6	2009-06-19 16:00:20.000000000 -0700
f35d1b
+++ ./esc/src/app/xpcom/rhICoolKey.idl	2009-06-19 16:00:32.000000000 -0700
f35d1b
@@ -66,6 +66,8 @@
f35d1b
 
f35d1b
     string GetCoolKeyCertInfo(in unsigned long aKeyType, in string aKeyID, in string aCertNickname);
f35d1b
 
f35d1b
+    string GetCoolKeyUID(in unsigned long aKeyType, in string aKeyID);
f35d1b
+
f35d1b
     string GetCoolKeyIssuedTo(in unsigned long aKeyType, in string aKeyID);
f35d1b
    
f35d1b
     string GetCoolKeyIssuer(in unsigned long aKeyType, in string aKeyID);
f35d1b
--- ./esc/src/app/xpcom/Makefile.sdk.fix6	2009-06-19 15:54:52.000000000 -0700
f35d1b
+++ ./esc/src/app/xpcom/Makefile.sdk	2009-06-19 15:55:43.000000000 -0700
f35d1b
@@ -109,7 +109,7 @@
f35d1b
 CPPFLAGS += -fno-rtti \
f35d1b
                 -fno-exceptions \
f35d1b
                 -fshort-wchar -fPIC
f35d1b
-GECKO_LD_LIBS=-L$(GECKO_SDK_PATH)/lib    $(GECKO_SDK_PATH)/lib/libxpcomglue.a -lnss3 -lcrmf -lssl3 -lsmime3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl
f35d1b
+GECKO_LD_LIBS=-L$(GECKO_SDK_PATH)/lib    $(GECKO_SDK_PATH)/lib/libxpcomglue.a -lnssutil3 -lnss3 -lcrmf -lssl3 -lsmime3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl
f35d1b
 endif
f35d1b
 
f35d1b
 ifeq ($(OS_ARCH),WINNT)
f35d1b
@@ -145,7 +145,7 @@
f35d1b
 GECKO_INCLUDES		+= -I $(GECKO_SDK_PATH)/sdk/include
f35d1b
 OBJECT			= rhCoolKey.obj
f35d1b
 OBJECTCSP		= CoolKeyCSP.obj 
f35d1b
-COOL_LDFLAGS		=   -IMPLIB:fake-import /LIBPATH:$(CORE_DIST)/lib ckymanager.lib httpchunked.lib $(GECKO_LD_LIBS) nss3.lib ssl3.lib smime3.lib softokn3.lib  /LIBPATH:$(CKY_LIB_LDD) libckyapplet.lib  crypt32.lib kernel32.lib user32.lib gdi32.lib winmm.lib wsock32.lib advapi32.lib /NODEFAULTLIB:libc.lib
f35d1b
+COOL_LDFLAGS		=   -IMPLIB:fake-import /LIBPATH:$(CORE_DIST)/lib ckymanager.lib httpchunked.lib $(GECKO_LD_LIBS) nssutil3.lib nss3.lib ssl3.lib smime3.lib softokn3.lib  /LIBPATH:$(CKY_LIB_LDD) libckyapplet.lib  crypt32.lib kernel32.lib user32.lib gdi32.lib winmm.lib wsock32.lib advapi32.lib /NODEFAULTLIB:libc.lib
f35d1b
 endif
f35d1b
 
f35d1b
 ifeq ($(OS_ARCH),Darwin)
f35d1b
--- ./esc/src/app/xpcom/rhCoolKey.h.fix6	2009-06-19 15:58:21.000000000 -0700
f35d1b
+++ ./esc/src/app/xpcom/rhCoolKey.h	2009-06-19 15:58:28.000000000 -0700
f35d1b
@@ -22,6 +22,15 @@
f35d1b
 #include "nsIGenericFactory.h"
f35d1b
 #include "nsEmbedString.h"
f35d1b
 #include <list>
f35d1b
+#include "nspr.h"
f35d1b
+#include "prio.h"
f35d1b
+#include "ssl.h"
f35d1b
+#include "pk11func.h"
f35d1b
+#include "cert.h"
f35d1b
+#include "sslerr.h"
f35d1b
+#include "secerr.h"
f35d1b
+#include "sechash.h"
f35d1b
+
f35d1b
 #include "CoolKey.h"
f35d1b
 #include "nsCOMPtr.h"
f35d1b
 #include "nsIObserver.h"
f35d1b
@@ -92,6 +101,7 @@
f35d1b
 
f35d1b
     static HRESULT doSetCoolKeyConfigValue(const char *aName, const char *aValue); 
f35d1b
     static const char *doGetCoolKeyConfigValue(const char *aName );
f35d1b
+    static SECStatus badCertHandler(void *arg, PRFileDesc *fd);
f35d1b
 
f35d1b
 protected:
f35d1b
   /* additional members */
f35d1b
@@ -107,6 +117,8 @@
f35d1b
 
f35d1b
     static std::list< nsCOMPtr <rhIKeyNotify> > gNotifyListeners;
f35d1b
 
f35d1b
+    static PRLock* certCBLock;
f35d1b
+
f35d1b
     rhICoolKey* mProxy;
f35d1b
 
f35d1b
     static PRBool      gAutoEnrollBlankTokens;